import DOMPurify from 'dompurify';

// Configure a conservative sanitizer. Allow basic formatting, links, images.
const DEFAULT_ALLOWED_TAGS = [
  'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'em', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span', 'strong', 'u', 'ul'
];

const DEFAULT_ALLOWED_ATTR = [
  'href', 'src', 'alt', 'title', 'target', 'rel', 'class', 'style'
];

// Note: If inline styles need to be restricted more, consider removing 'style' or using hooks.

export function sanitizeHtml(dirtyHtml, options = {}) {
  if (typeof dirtyHtml !== 'string') return '';
  return DOMPurify.sanitize(dirtyHtml, {
    USE_PROFILES: { html: true },
    ALLOWED_TAGS: DEFAULT_ALLOWED_TAGS,
    ALLOWED_ATTR: DEFAULT_ALLOWED_ATTR,
    ADD_ATTR: ['referrerpolicy'],
    FORBID_TAGS: ['script', 'style', 'iframe', 'object', 'embed', 'link', 'meta'],
    FORBID_ATTR: [/^on/i],
    ...options,
  });
}

export default sanitizeHtml;


